Important: |
---|
This is retired content. This content is outdated and is no longer being maintained. It is provided as a courtesy for individuals who are still using these technologies. This content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist. |
The registry stores information necessary to configure the operating system for applications and hardware devices. The registry also contains information that the operating system continually references during operation.
Exponential Backoff Registry Settings
The HKEY_LOCAL_MACHINE\Comm\Security\LASSDregistry key is used to enable the LASS exponential backoff mechanism. This mechanism is designed to deter brute force attacks that rapidly try several authentications on a LAP by introducing an exponentially increasing time delay between unsuccessful consecutive attempts of the VerifyUsercall to a LAP.
The time delay or lockout time is calculated by using the following expression:
Copy Code | |
---|---|
(InitialPenalty + (2^(Number of failures above Threshold)) * IncrementalPenalty) |
The following table shows the named values.
Name | Type | Description |
---|---|---|
InitialPenalty |
REG_DWORD |
Time, in seconds, for the initial penalty. Default value is 0. |
Threshold |
REG_DWORD |
The number of failures before the exponential backoff mechanism is activated. Default value is 0. This indicates that exponential backoff is disabled. |
IncrementalPenalty |
REG_DWORD |
Time, in seconds, of the multiplier for the exponent. Default value is 0, indicating that there is no delay beyond the value set for InitialPenalty. |
LAP Codeword and Device Wipe Registry Settings
The HKEY_LOCAL_MACHINE\Comm\Security\LASSDregistry key is used to configure the LASS settings for codeword functionality and the threshold for device wipes. After a number of failed password attempts, defined by the CodeWordFrequencysetting, the device completely locks up and prompts the user to enter a displayed codeword to unlock it again. The purpose of the codeword prompt is to be sure that the incorrect password attempts are not the result of accidental key presses. After entering the displayed codeword, the user is then able to make more password attempts. Once the device wipe threshold is reached, the device wipes the memory, including all data and certificates.
Note: |
---|
Do not implement a code word that includes Double Byte Character Set (DBCS) characters. While the CodeWord registry node will accept DBCS characters, users cannot enter DBCS characters on a device. |
The following table shows the named values.
Name | Type | Description |
---|---|---|
CodeWordFrequency |
REG_DWORD |
The number of times an incorrect password can be entered before a displayed codeword must be entered to continue. This is to prevent accidental password entry resulting in a local device wipe. If the registry key either does not exist or is set to 4294967295 (0xFFFFFFFF), this policy is not enforced. |
CodeWord |
REG_SZ |
Codeword that the user will be requested to type. |
DeviceWipeThreshold |
REG_DWORD |
The number of authentication failures before the device will be wiped. A value of 0 disables device wipe functionality. |
LAP Installation Registry Settings
To install a new LAP, add a new subkey to the HKEY_LOCAL_MACHINE\Comm\Security\LASSD\LAPregistry key that specifies the user-defined name for the new LAP. Use the Dllvalue for the subkey to specify the location for the LAP.
In the following example, lap_scardis the user-defined name for the new LAP, and the Dllvalue indicates the name of the LAP DLL.
Copy Code | |
---|---|
[HKEY_LOCAL_MACHINE\Comm\Security\LASSD\LAP\lap_scard] "Dll"="lap_smartcard.dll" |
The following table shows the named values.
Name | Type | Description |
---|---|---|
Dll |
REG_SZ |
The name of the DLL for a LAP that you want to install. |
LAP Activation Registry Settings
Installing a LAP does not make it active. To make the LAP active, you must activate it after installation. Specify the active LAP by using the ActiveLapvalue under the HKEY_LOCAL_MACHINE\Comm\Security\LASSD\LAPregistry key.
In the following example, ActiveLapis set to lap_scard, which is the subkey that specifies the name of the LAP DLL.
Copy Code | |
---|---|
[HKEY_LOCAL_MACHINE\Comm\Security\LASSD\LAP] "ActiveLap"="lap_scard" |
The following table shows the named values.
Name | Type | Description |
---|---|---|
ActiveLap |
REG_SZ |
A key in the LAP tree. The value of the DLL in the LAP tree specifies the DLL that LASS will load. |
LAP Password Settings
The length and type of a password can be enforced on the Microsoft Default LAP using the MinimumPasswordLength and PasswordComplexity settings under the HKEY_LOCAL_MACHINE\Comm\Security\LASSD\LAP\lap_pwregistry key. These settings will only be enforced if PasswordNotRequiredis set to zero (0).
In the following example, the minimum length of the password is set to 9 characters and the complexity is set so that a strong password is required.
Copy Code | |
---|---|
[HKEY_LOCAL_MACHINE\Comm\Security\LASSD\LAP] "MinimumPasswordLength"="9" "PasswordComplexity"="0" |
The following table shows the settings and values.
Name | Type | Description | ||
---|---|---|---|---|
MinimumPasswordLength |
REG_DWORD |
Sets the minimum device password length the user can enter. The length is measured in characters and can be set to any number less than or equal to the maximum number of characters allowed. Entering zero (0) for MinimumPasswordLengthresults in the default setting of 1.
This value works in conjunction with security policy 4131, which when set to zero (0) indicates that password enforcement is required on the device. If password enforcement is not required, the value of MinimumPasswordLengthis ignored. |
||
PasswordComplexity |
REG_DWORD |
Sets the complexity of the Device Password. The following list shows the possible values:
Setting this parameter with the Exchange Security Manager results in a setting of zero (0) or 2. It is not possible to set this parameter to 1 using the Exchange Security Manager. |
AE Registry Settings
To install a new authentication event (AE), create a subkey with the GUID of the AE under the HKEY_LOCAL_MACHINE\Comm\Security\LASSD\AEregistry key. For examples, see Installing an AE.
The following table shows the named values.
Name | Type | Description |
---|---|---|
FriendlyName |
REG_SZ |
String that indicates to the user what the AE represents. |
DisplayText |
REG_SZ |
String that indicates the name of the application that is verifying the user in a call to VerifyUser. |
AEFrequencyType |
REG_DWORD |
Type of frequency policy used to control an AE. It can be any one of the following values, and AEFrequencyValueis interpreted differently based on each value:
|
AEFrequencyValue |
REG_DWORD |
Value indicating how often user authentication will occur. The interpretation of AEFrequencyValuedepends on the value of AEFrequencyType. For more information about how AEFrequencyTypeand AEFrequencyValueare related, see Setting an AE Policy. When AEFrequencyTypeis set to 0, AEFrequencyValuehas the following special cases:
|
Authentication Reset Settings
The Authentication Reset Settings determine whether a device can be reset by RemoteWipe. The messages displayed to users can be customized for authentication reset in the default Local Authentication Plug-in (LAP). All keys listed in the table are located in the path HKEY_LOCAL_MACHINE\Comm\Policy\LASSD\AuthReset.
Name | Type | Description |
---|---|---|
AuthenticationReset |
REG_DWORD |
Specifies whether or not to allow authentication reset on the device. If this setting is enabled, the Reset Password option appears in the password menu.
|
RequestMessage |
REG_SZ |
This message is displayed to the user before the reset process begins. If no message is specified, a default message is displayed. |
RequestSuccessMessage |
REG_SZ |
This message is displayed if the reset process completes successfully. If no message is specified, a default message is displayed. |
RequestFailureMessage |
REG_SZ |
This message is displayed if the reset process fails. If no message is specified, a default message is displayed. |
RecoveryMessage |
REG_SZ |
This message is displayed in the Recovery PIN entry dialog. If no message is specified, a default message is displayed. |
RecoveryPhone |
REG_SZ |
This is a secondary string to be displayed following the recovery message. |
LAP Password Hash Registry Settings
These registry settings identify the algorithm used by LAP, as well as the provider type and provider name. All keys listed in the table are located in the path HKLM\Comm\Security\Policy\LASSD\LAP\lap_pwor
HKLM\Comm\Security\LASSD\LAP\lap_pw
Name | Type | Description |
---|---|---|
LAPHashAlgorithm |
REG_DWORD |
The identifier of the algorithm the LAP uses to hash the device password and admin key. OEMs can update this if new algorithms are installed on the device. The value used when creating a new password hash is stored in the registry with the password. The LAP uses 0x800C (CALG_SHA_256) if this value is not set. By default the value is not set. Algorithm identifiers are defined in Wincrypt.h. The algorithm must have the ALG_CLASS_HASH bit set and may not include the following hash types: ALG_SID_MD2, ALG_SID_MD4, ALG_SID_MD5, ALG_SID_SHA, ALG_SID_SHA1, ALG_SID_MAC, ALG_SID_RIPEMD, ALG_SID_RIPEMD160, ALG_SID_SSL3SHAMD5, ALG_SID_HMAC, ALG_SID_TLS1PRF, ALG_SID_HASH_REPLACE_OWF If any of the disallowed hash types are specified, the default value is used. |
LAPProviderType |
REG_DWORD |
The dword specifying which encrypt provider type the LAP will specify when calling CryptAcquireContext() for all of its cryptographic functions. OEMs can update this as needed. The value used when creating a new password hash is stored in the registry with the password. The LAP uses 24 (PROV_RSA_AES) if this value is not set. By default the value is not set. Cryptographic service providers are defined in Wincrypt.h. The provider must support the algorithm specified in the LAPHashAlgorithmregistry value or the default hash algorithm if none is specified. |
LAPProviderName |
REG_SZ |
The name of a cryptographic services provider that supports the hash algorithm specified in the LAPHashAlgorithmregistry value. OEMs can update this if new providers are installed on the device. The value used when creating a new password hash is stored in the registry with the password. The ARC uses the default provider if this value is not set (see documentation for CryptAcquireContext). By default the value is not set. The specified provider must be the type of provider specified in the LAPProviderTyperegistry value, or the default type if none exists. It must support the algorithm specified in the LAPHashAlgorithmregistry value or the default hash algorithm if none is specified. |
Calling Customer Care for Device Unlock Settings
On the Device Unlockdialog box, you can set up a customer care number for customers to dial who have forgotten their unlock key. To set up this option, use the following two registry values.
For the first value, the key is [HKEY_Local_Machine\Security\ResOver]and the value characteristics are:
Name | Type | Description |
---|---|---|
101 |
REG_SZ |
Message to display about the customer care call. The default is a blank message. |
For the second value, the key is HKEY_Local_Machine\Security\LASSD\LAP\lap_pw]and the value characteristics are:
Name | Type | Description |
---|---|---|
CustomerServiceNumber |
REG_SZ |
The number to store on the device and dial when Call Customer Serviceis selected from the device unlock dialog box. |